Hi,
I am adding a `prune` option to `ipa-cacert-manage` (as discussed in https://pagure.io/freeipa/issue/7404). The test for this option would be to have an expired cert installed and check that it is deleted after running the command, but I'm not sure how to add an expired certificate in the first place. Any pointers on this?
Thank you!
On Thu, 04 Feb 2021, Antonio Torres via FreeIPA-devel wrote:
Hi,
I am adding a `prune` option to `ipa-cacert-manage` (as discussed in https://pagure.io/freeipa/issue/7404). The test for this option would be to have an expired cert installed and check that it is deleted after running the command, but I'm not sure how to add an expired certificate in the first place. Any pointers on this?
See ipatests/test_integration/test_caless.py, it has several tests that deal with expired certificates. There is a helper that creates a CA setup for the CA-less install and, aside from creating a normal external CA/certs, it automatically adds expired certificates, intentionally valid only in the past.
So when a test in test_caless.py calls create_pki(), it gets a bunch of certificates created for all IPA services:
- normal ones
- certificates with a bad organization name
- certificates with an alternative organization name
- certificates which already expired by the time of the create_pki() run
- certificates which aren't yet valid
- certificates with a bad usage
- already revoked certificates
They all have predictable names (see gen_server_certs() for details), so they can be applied to any host, and tests use this a lot.
Hi Alexander,
The problem with create_pki() is that apparently certs are not added to the database -- running create_pki() and then listing the certs with `ipa-cacert-manage list` will not list additional certificates.
On Thu, Feb 4, 2021 at 1:23 PM Alexander Bokovoy abokovoy@redhat.com wrote:
See ipatests/test_integration/test_caless.py, it has several tests that deal with expired certificates. There is a helper that creates a CA setup for the CA-less install and, aside from creating a normal external CA/certs, it automatically adds expired certificates, intentionally valid only in the past.
So when a test in test_caless.py calls create_pki(), it gets a bunch of certificates created for all IPA services:
- normal ones
- certificates with a bad organization name
- certificates with an alternative organization name
- certificates which already expired by the time of the create_pki() run
- certificates which aren't yet valid
- certificates with a bad usage
- already revoked certificates
They all have predictable names (see gen_server_certs() for details), so they can be applied to any host, and tests use this a lot.
--
Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Hi Antonio,
On Fri, 05 Feb 2021, Antonio Torres via FreeIPA-devel wrote:
Hi Alexander,
The problem with create_pki() is that apparently certs are not added to the database -- running create_pki() and then listing the certs with `ipa-cacert-manage list` will not list additional certificates.
No, this is not a problem. Since create_pki() is a helper, it generates all the certificates/keys/etc. in the temporary directory you provided. See the CALessBase.install method for how this is set up in tests. Then you can use the generated files to import into IPA during your test in whatever way you want.
Hi Alexander,
Yes, I understand how to generate the certificates needed for the test. However, I don't know how to have them installed so that `ipa-cacert-manage list` actually lists them, since installing them with `ipa-cacert-manage install` fails when installing expired / non-valid certificates.
On Fri, Feb 5, 2021 at 1:27 PM Alexander Bokovoy abokovoy@redhat.com wrote:
Hi Antonio,
On Fri, 05 Feb 2021, Antonio Torres via FreeIPA-devel wrote:
Hi Alexander,
The problem with create_pki() is that apparently certs are not added to the database -- running create_pki() and then listing the certs with `ipa-cacert-manage list` will not list additional certificates.
No, this is not a problem. Since create_pki() is a helper, it generates all the certificates/keys/etc. in the temporary directory you provided. See the CALessBase.install method for how this is set up in tests. Then you can use the generated files to import into IPA during your test in whatever way you want.
On Fri, 05 Feb 2021, Antonio Torres via FreeIPA-devel wrote:
Hi Alexander,
Yes, I understand how to generate the certificates needed for the test. However, I don't know how to have them installed so that `ipa-cacert-manage list` actually lists them, since installing them with `ipa-cacert-manage install` fails when installing expired / non-valid certificates.
Possible approaches:
1. Jump back in time and use create_pki() with an individual cert_dir.
2. Jump half-way forward and install the IPA master with an integrated CA.
3. Replace some server certificates with the certs from (1); this will put the CA from (1) into the internal store.
4. Jump to about 1 year before the expiration of the CA from (1) and generate a new CA using create_pki() in a separate cert_dir.
5. Switch to the new certificates from (4) and jump forward in time to just past the expiration of the CA from (1).
Now you should have the expired CA from (1) in the store and valid server certificates from (4).
See ipatests/test_integration/test_ipa_cert_fix.py for a simple fixture that jumps back/forth in time.
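The time-jump approach above, as an added example that is not FreeIPA or ipatests code: it builds CA certificates with the same kinds of validity windows create_pki() hands out (valid, already expired, not yet valid) using the `cryptography` package (an assumption of this example, not something the thread mentions), and treats "now" as a parameter instead of moving the system clock, so it runs anywhere. The install check and the prune rule (only certificates past notAfter are dropped, not-yet-valid ones stay) are this example's own modelling of the behaviour discussed, not the real `ipa-cacert-manage` logic; the store nicknames and the CN values are constructed test data.

```python
"""Added example, not FreeIPA or ipatests code.

Models Alexander's approach: a CA imported while valid (step 3) is still in
the store after the clock moves past its notAfter (step 5), even though the
same certificate cannot be installed once it has expired. A real integration
test would move the host clock the way test_ipa_cert_fix.py does; here the
point in time is simply passed as an argument.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed timeline: T0 is the "past" the test jumps back to in step (1).
T0 = datetime(2019, 1, 1, tzinfo=timezone.utc)
YEAR = timedelta(days=365)


def make_ca(common_name, not_before, not_after):
    """Self-signed CA certificate with an explicit validity window."""
    key = ec.generate_private_key(ec.SECP256R1(), default_backend())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256(), default_backend())
    )


def validity_window(cert):
    """Timezone-aware (notBefore, notAfter); newer cryptography exposes *_utc."""
    before = getattr(cert, "not_valid_before_utc", None)
    after = getattr(cert, "not_valid_after_utc", None)
    if before is None or after is None:
        before = cert.not_valid_before.replace(tzinfo=timezone.utc)
        after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    return before, after


def validity_state(cert, now):
    """What an install-time check sees: 'valid', 'expired' or 'not-yet-valid'."""
    before, after = validity_window(cert)
    if now < before:
        return "not-yet-valid"
    if now > after:
        return "expired"
    return "valid"


def can_install(cert, now):
    """Mirror of the behaviour Antonio hit: only a currently valid cert goes in."""
    return validity_state(cert, now) == "valid"


def prune_expired(store, now):
    """Assumed prune semantics: drop only certs past notAfter.

    Not-yet-valid certs stay; they become usable later and pruning them
    would silently break a planned CA rotation.
    """
    removed = sorted(n for n, c in store.items() if validity_state(c, now) == "expired")
    kept = sorted(n for n in store if n not in removed)
    return kept, removed


def build_store():
    """Store contents written directly, as a test would seed the DB (bypassing
    the install check). Nicknames and CNs are constructed for this example."""
    return {
        "ca-old": make_ca("Old CA", T0, T0 + 3 * YEAR),                # step (1)
        "ca-new": make_ca("New CA", T0 + 2 * YEAR, T0 + 6 * YEAR),     # step (4)
        "ca-future": make_ca("Future CA", T0 + 5 * YEAR, T0 + 9 * YEAR),
    }


def walk_timeline(store):
    """Evaluate the store at the two points Alexander's steps visit."""
    t_import = T0 + 2 * YEAR + timedelta(days=30)   # both CAs valid: import works
    t_after = T0 + 3 * YEAR + timedelta(days=1)     # ca-old expired a day ago
    return {
        "install_old_at_import": can_install(store["ca-old"], t_import),
        "install_old_after": can_install(store["ca-old"], t_after),
        "prune_at_import": prune_expired(store, t_import),
        "prune_after": prune_expired(store, t_after),
        "future_state_after": validity_state(store["ca-future"], t_after),
    }


if __name__ == "__main__":
    for key, value in walk_timeline(build_store()).items():
        print(f"{key}: {value}")
```

The two `prune_expired` calls are the assertion a test for the new option would make: nothing is removed while the clock sits inside every window, and exactly the old CA is removed once the clock has moved past its notAfter, while the certificate that is not yet valid survives both passes.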
freeipa-devel@lists.fedorahosted.org